Updated on 2024-11-04 GMT+08:00

Access Control Policy Overview

After protection is enabled, CFW access control policies allow all traffic by default. Proper access control policies help you implement refined management and control on traffic between internal servers and the Internet, prevent internal threats from spreading, and enhance in-depth security.

Access Control Policy Types

Access control policies are classified into protection rules and blacklist/whitelist. Differences between protection rules and blacklist/whitelist shows more details. If traffic hits a policy, the action of the policy will be taken.

Table 1 Differences between protection rules and blacklist/whitelist

Type

Protected Object

Network Type

Action

Configuration Method

Protection rules

  • 5-tuple
  • IP address groups
  • Geographical locations
  • Domain names and domain name groups
  • EIP
  • Private IP address
  • If Block is selected, traffic will be blocked.
  • If Allow is selected, traffic will be allowed by protection rules and then checked by the intrusion prevention system (IPS).

Adding Protection Rules to Block or Allow Traffic

Blacklist

  • 5-tuple
  • IP address groups

Traffic is blocked directly.

Adding Blacklist or Whitelist Items to Block or Allow Traffic

Whitelist

Traffic is allowed by CFW and not checked by other functions.

Specification Limitations

To enable VPC border protection and NAT protection, use the CFW professional edition and enable VPC firewall protection.

Precautions for Configuring a Blocking Policy

The precautions for configuring a protection rule or a blacklist item for blocking IP addresses are as follows:

  1. You are advised to preferentially configure specific IP addresses (for example, 192.168.10.5) to reduce network segment configurations and avoid improper blocking.
  2. Exercise caution when configuring protection rules to block reverse proxy IP addresses, such as the WAF back-to-source IP addresses. You are advised to configure protection rules or whitelist to permit reverse proxy IP addresses.
  3. Blocking forward proxy IP addresses (such as company egress IP addresses) can have a large impact. Exercise caution when configuring protection rules to block forward proxy IP addresses.
  4. When configuring region protection, take possible EIP changes into consideration.

Wildcard Rule

Parameter

Input

Description

Source/Destination

0.0.0.0/0

All IP addresses

Domain name

www.example.com

Domain name www.example.com

Domain name

*.example.com

All domain names ending with example.com, for example, test.example.com

Service - Source port or destination port

1-65535

All ports

Service - Source port or destination port

80-443

All ports in the range 80 to 443

Service - Source port or destination port

  • 80
  • 443

Ports 80 and 443

References